Cointime


ZeroTrust Accounts

A proof of concept by Karandeep Singh and Alexander Chopan

What if you could use a passkey as a signer for your embedded smart contract account and reuse the account across other apps? What does that mean and who cares? Try the demo first, then come back here.


The goal of ZeroTrust Accounts is to provide a decentralized, secure, and self-sovereign approach to Ethereum smart contract accounts. How? With non-custodial signers (like passkeys); inbuilt or modular session keys features; server-free information access; and decentralized recovery options. karandeepsingh.eth and I got to these conclusions by working backwards from user goals to engineering solutions and product experience. Here’s the idea 0-1. This is a long post.

  1. Users
  2. Goals
  3. How accounts work today
  4. Account problems
  5. Solutions
  6. Requirements
  7. Features
  8. Proof of concept
  9. User Journey
  10. Code
  11. Demo

1. Users

Alice is a consumer. She uses many applications. She has over 100 accounts. Bob is a developer. He makes blockchain apps for consumers like Alice.

2. Goals

Alice (consumer): wants to enjoy online and onchain activities with friends, collect digital assets, use decentralized apps easily, control her account in various places, and avoid losing account access or data.

Bob (developer): wants to make user-friendly apps for NFT minting, that don’t require users to interrupt activity to approve actions, and can sponsor gas fees for user operations. He wants to use account abstraction and offer smart accounts for a better user experience.

3. How Accounts Work Today

Offchain: In the current web model, there are account users and account providers. Users require accounts for online activities and provide personal data to create them. These accounts serve as containers for data and come with rules. Users access accounts with keys and passwords, and they trust providers to keep their data safe.

Onchain: externally-owned accounts The Ethereum blockchain operates on an account model with one native type, the externally owned account (EOA). EOAs are controlled by private keys and operated by whoever holds the private key. They are used for sending and receiving transactions and for interacting with applications. EOAs are created when a private key is generated and associated with a public address; they do not require on-chain deployment or initial funding, but an ETH balance is required to pay for transactions and gas fees. Security relies on the user's management of the private key, and account recovery is not possible if the key is lost.

Onchain: smart accounts Smart accounts in Ethereum are smart contract code. The code must be deployed to the blockchain before the user can make their first transaction, which requires some initial funds. Smart accounts have programmable features such as transaction batching, multi-signature management, two-factor authentication (2FA) and account recovery. They allow users to pay gas fees in any token and even have their transactions sponsored. These smart features make them like mini-apps on the blockchain.

Onchain: embedded accounts Onchain embedded accounts are smart contract accounts embedded in specific dapps, allowing users to perform wallet actions directly within the dapp. These accounts are provided instantly by the dapp, removing the need for users to separately create and set up a blockchain account. Access to these accounts is limited to the dapps they are tied to, streamlining the user experience, especially for newcomers to blockchain technology. To create embedded accounts, Bob tests various SDKs from account providers to select the best one. Bob must get API keys from account providers to use their services, and to get API keys he must create new accounts for himself. Here we explore two kinds of embedded accounts Bob wants to create: EOA-based and passkey-based.

4. Account Problems

Not Secure Dapps connect directly to accounts and users authorize blanket access. The Ethereum blockchain requires an EOA to make a transaction, and the same signer is reused each time, so the smart contract account's security depends on the EOA's security. Alice's and Bob's security depends on the account types and account provider services they choose.

Low Control Users have limited control over their blockchain accounts as their behavior is hardcoded in the Ethereum protocol. For passkey-embedded accounts, apps store and manage passkey meta details in the account provider's databases, creating a dependency. Alice faces the risk of being locked out of the passkey signer if the dapp domain becomes inaccessible, which affects her ability to use her account and Bob's ability to provide her with an account.

Not Smart Users and developers waste time on account management instead of account activity. Users sign each transaction. New technologies like passkeys and embedded wallets complicate multi-account management. Account types have different functionalities and may not be compatible. Different providers interpret account abstraction differently, making it challenging for Alice and Bob to manage and migrate accounts.

5. Solutions

Create accounts that are safer and smarter by continuously removing layers of trust. Provide a decentralized, secure, and self-sovereign approach to Ethereum smart contract accounts. Use non-custodial signers (like passkeys); inbuilt or modular session keys features; server-free information access; and decentralized recovery options.

6. Engineering Requirements

More secure Ensure a secure method for managing signers, including the use of alternative signers that offer higher security than EOAs. Implement layers of separation between different accounts to enhance security. Create unique sessions each time a dapp connects to an account, with session-specific permissions like time limits, token allowances, and spending limits. Determine these permissions by combining various scopes, which are specific target contracts or methods.

More control Users should have easy access to their accounts and use them as desired, without relying on third-party providers.

Smarter They should also be able to easily create smart contract accounts without complex wallet setup. They shouldn’t have to already have an EOA. Users should be able to use dApps quickly and effortlessly, with uninterrupted and signless transactions. Actions should be automated (e.g., pre-approval, scheduling) so that users do not have to create new accounts every time they want to use a dApp.

7. Features

8. Proof of Concept

9. User Journey

Step 1: Create Account User: The user decides to interact with a dapp through its website with the goal of minting an NFT. The user clicks either "Connect Wallet" or "Sign In with Account Provider." This action redirects the user to a sign-in or sign-up page. Existing users sign in to authorize the dapp to use their ZeroTrust account. New users create a unique name for their account; upon entering this name, the ZeroTrust account becomes "created," and the user can grant the dapp access to it.

Under the Hood: We associate a passkey with the user's chosen account name, enhancing security. The metadata related to the passkey is securely stored in the user's browser's local storage. Using this metadata, we derive a counterfactual smart contract wallet address.

Step 2: Authorize Dapp User: The user authorizes the dapp to use the account by choosing the scope that limits what the dapp can do while the session is active. The user signs the user operation, which records the session details on the blockchain for security.

Under the hood: A sessionID is created that defines the scope of permitted activity. The sessionID is committed onchain by signing the transaction with the passkey, so the session's scope is recorded on the blockchain.

Step 3: Mint NFT User: The user is redirected to the dapp to interact with the dapp, using the authorized ZeroTrust account. The user clicks "mint" and mints the NFT.

Under the hood: Instead of signing each user operation and being interrupted with signature requests, the user submits a zero-knowledge proof for the operation. All operations occur on the user's device.
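The scope check that Step 2 sets up and Step 3 relies on, as an added example that is not code from the zero-trust repository: one way to combine the scopes from the engineering requirements (target contracts and methods, a time limit, a spending limit) into a single session policy and evaluate each user operation against it before the dapp's operation is accepted. The session layout, the field names, the two placeholder contract addresses, the one-hour validity and the 0.1 ETH limit are assumptions for illustration; the selectors used for mint(uint256) and transfer(address,uint256) are assumed to be the standard 4-byte selectors.

```javascript
// Added example (not the zero-trust project's own code): evaluating a dapp
// session's scope before a user operation is accepted. Field names, session
// layout and sample values are assumptions for illustration.

const ADDRESS_RE = /^0x[0-9a-f]{40}$/i;

// Compare addresses case-insensitively and reject anything that is not
// 20 bytes of hex, so a malformed target can never match an allowlist entry.
function normalizeAddress(addr) {
  if (typeof addr !== "string" || !ADDRESS_RE.test(addr)) {
    throw new Error(`malformed address: ${String(addr)}`);
  }
  return addr.toLowerCase();
}

// Combine scopes (target contract + allowed method selectors) with a time
// limit and a spending limit into one session policy.
function createSession({ id, dappOrigin, expiresAt, scopes, spendingLimitWei }) {
  const targets = new Map(); // address -> Set of allowed selectors
  for (const scope of scopes) {
    const target = normalizeAddress(scope.target);
    const selectors = targets.get(target) ?? new Set();
    for (const sel of scope.selectors) selectors.add(sel.toLowerCase());
    targets.set(target, selectors);
  }
  return {
    id,
    dappOrigin,
    expiresAt, // unix seconds; unusable at or after this time
    targets,
    spendingLimitWei: BigInt(spendingLimitWei),
    spentWei: 0n, // cumulative value authorized so far
  };
}

// The 4-byte function selector is the first 8 hex characters of calldata.
function selectorOf(callData) {
  if (typeof callData !== "string" || !/^0x[0-9a-f]{8}/i.test(callData)) return null;
  return callData.slice(0, 10).toLowerCase();
}

// Decide whether one user operation is inside the session's scope. The
// allowance is consumed only when every check passes, so a rejected
// operation leaves the session unchanged.
function authorizeUserOp(session, op, nowSeconds) {
  if (nowSeconds >= session.expiresAt) return { ok: false, reason: "session expired" };
  if (op.origin !== session.dappOrigin) return { ok: false, reason: "origin mismatch" };
  let target;
  try {
    target = normalizeAddress(op.target);
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  const allowed = session.targets.get(target);
  if (!allowed) return { ok: false, reason: "target not in scope" };
  const sel = selectorOf(op.callData);
  if (sel === null) return { ok: false, reason: "calldata too short for a selector" };
  if (!allowed.has(sel)) return { ok: false, reason: `method ${sel} not in scope` };
  const value = BigInt(op.valueWei);
  if (value < 0n) return { ok: false, reason: "negative value" };
  if (session.spentWei + value > session.spendingLimitWei) {
    return { ok: false, reason: "spending limit exceeded" };
  }
  session.spentWei += value;
  return { ok: true, reason: "authorized" };
}

// Constructed sample: an NFT-mint session granted at t=1000 for one hour,
// limited to mint(uint256) on one contract and 0.1 ETH in total.
const MINT_CONTRACT = "0x1111111111111111111111111111111111111111"; // placeholder
const OTHER_CONTRACT = "0x2222222222222222222222222222222222222222"; // placeholder
const MINT_SELECTOR = "0xa0712d68"; // mint(uint256), assumed standard selector
const TRANSFER_SELECTOR = "0xa9059cbb"; // transfer(address,uint256)
const FIVE_HUNDREDTHS_ETH = 50_000_000_000_000_000n; // 0.05 ETH in wei

function runDemo() {
  const session = createSession({
    id: "session-demo-1",
    dappOrigin: "https://mint.example",
    expiresAt: 1000 + 3600,
    scopes: [{ target: MINT_CONTRACT, selectors: [MINT_SELECTOR] }],
    spendingLimitWei: 100_000_000_000_000_000n, // 0.1 ETH
  });
  const base = { origin: "https://mint.example", target: MINT_CONTRACT, valueWei: FIVE_HUNDREDTHS_ETH };
  const mintData = MINT_SELECTOR + "0".repeat(63) + "1"; // mint(1)
  return [
    authorizeUserOp(session, { ...base, callData: mintData }, 1500), // authorized
    authorizeUserOp(session, { ...base, callData: TRANSFER_SELECTOR + "00" }, 1500), // wrong method
    authorizeUserOp(session, { ...base, target: OTHER_CONTRACT, callData: mintData }, 1500), // wrong target
    authorizeUserOp(session, { ...base, callData: mintData, valueWei: 60_000_000_000_000_000n }, 1500), // over limit
    authorizeUserOp(session, { ...base, callData: mintData }, 1500), // authorized, reaches the limit exactly
    authorizeUserOp(session, { ...base, callData: mintData }, 1000 + 3600), // expired
  ];
}
```

Because the sessionID is committed onchain, the account contract is where these rules finally have to be enforced; a check like this on the user's device only rejects out-of-scope operations early, before they are relayed, and makes the rejection reason visible to the user.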

10. Code

GitHub repository: KannuSingh/zero-trust (github.com)

11. Demo

Created by Karandeep Singh and Alexander Chopan

Powered by Pimlico
